Germany Unmasks Key REvil and GandCrab Ransomware Suspects

Executive Summary

German law enforcement officials have taken a significant step in holding cybercriminals accountable by publicly identifying two Russian nationals, Daniil Shchukin (also known as 'UNKN') and Anatoly Kravchuk, as key operatives within the infamous GandCrab and REvil (Sodinokibi) ransomware syndicates. The suspects are wanted in connection with a series of attacks that extorted millions and caused tens of millions of dollars in damages. This action is part of a coordinated European initiative aimed at disrupting Russian-based cybercrime operations. Although the REvil group was officially taken down in 2021, this development underscores that efforts to pursue its members are ongoing, even as challenges remain in bringing them to justice due to their suspected location in Russia.

Threat Overview

GandCrab and its successor, REvil, were two of the most prolific and destructive ransomware-as-a-service (RaaS) operations in history. They pioneered the double extortion tactic, which involves not only encrypting victim data but also exfiltrating it and threatening to leak it publicly if the ransom is not paid (T1486 - Data Encrypted for Impact and T1041 - Data Exfiltration Over C2 Channel).

• GandCrab: Active from 2018 to 2019, it was one of the first highly successful RaaS operations, infecting hundreds of thousands of victims and generating massive profits for its operators and affiliates.
• REvil (Sodinokibi): Emerging shortly after GandCrab's supposed retirement, REvil was widely believed to be operated by the same core group. It became notorious for its high-profile attacks on major corporations and critical infrastructure, demanding multi-million dollar ransoms.

The identification of Shchukin and Kravchuk links specific individuals to these widespread criminal campaigns. They are accused of participating in at least 24 attacks, resulting in $2.3 million in direct extortion payments and an estimated $40 million in total damages, highlighting the significant economic impact of their activities.

Technical Analysis

The TTPs of GandCrab and REvil were well-documented and evolved over time. Common techniques included:

• Initial Access: They frequently gained access by exploiting vulnerabilities in public-facing applications, particularly in RDP servers and VPN appliances (T1190 - Exploit Public-Facing Application), and also through large-scale phishing campaigns (T1566 - Phishing).
• Privilege Escalation: Once inside, they used various techniques to escalate privileges to gain domain administrator rights, often using tools like Mimikatz to harvest credentials (T1003 - OS Credential Dumping).
• Lateral Movement: They moved across the network using tools like PsExec or abusing RDP to deploy the ransomware payload to as many systems as possible (T1021.001 - Remote Services: Remote Desktop Protocol).
• Impact: The final stage involved deploying the ransomware to encrypt files across the network, deleting backups (T1490 - Inhibit System Recovery) to increase pressure on the victim to pay.

Impact Assessment

The impact of these ransomware groups was global and devastating.

• Financial Loss: Victims suffered direct financial losses from ransom payments, business downtime, and recovery costs. The $40 million in damages attributed to just 24 attacks by these two suspects shows the scale of the problem.
• Operational Disruption: Attacks on hospitals, local governments, and businesses caused significant disruption to essential services.
• Data Breaches: The double extortion model meant that even if a company could recover from backups, they still faced a data breach, with sensitive corporate or customer data being leaked online.

The public identification of suspects, while largely symbolic without an arrest, serves to disrupt their operations, apply pressure, and signal a commitment from law enforcement to pursue these actors.

IOCs

No specific IOCs related to the 24 attacks were provided in the source articles.

Detection & Response

Detection Strategies:

1. Behavioral Analysis: Deploy EDR solutions that use behavioral analysis to detect ransomware activity, such as rapid file modification/encryption, attempts to delete shadow copies (vssadmin), and the execution of suspicious commands. This is a core part of Process Analysis (D3-PA).
2. Credential Dumping Detection: Monitor for processes accessing the LSASS memory space, a common technique used by tools like Mimikatz to steal credentials. This is a form of OS Credential Dumping (D3-OCD).
3. Network Monitoring: Look for lateral movement activity, such as an unusual number of RDP or SMB connections originating from a single host. Monitor for large, anomalous outbound data transfers that could indicate data exfiltration prior to encryption.

Mitigation

• Patch Management: Aggressively patch vulnerabilities in internet-facing systems like VPNs and RDP servers. This is the most effective way to prevent initial access (M1051 - Update Software).
• Secure Backups: Maintain offline, immutable, and regularly tested backups. This ensures you can recover without paying a ransom (M1053 - Data Backup).
• Network Segmentation: Segment your network to prevent ransomware from spreading from a single compromised workstation to the entire enterprise (M1030 - Network Segmentation).
• Restrict Privileged Accounts: Enforce the principle of least privilege. Limit the number of domain administrator accounts and use Privileged Access Management (PAM) solutions (M1026 - Privileged Account Management).